IoT and the Implications for Security Inside and Outside the Enterprise
Richard Boyer, CISO & Chief Architect, Security
[Figure: timeline of the Internet of Things, 1999 to 2020]
INTERNET OF THINGS
THAT'S GREAT, BUT...
ALL THINGS ARE NOT ALL EQUAL
- PERVASIVE
- NOT ALWAYS CONNECTED
- UNDERPOWERED
- AND SECURITY IS AN AFTERTHOUGHT
PERVASIVENESS OF IoT CREATES NEW INFRASTRUCTURE DYNAMICS
IoT is on its way to being everywhere, especially in other people's infrastructures, where you cannot control or modify the devices, or hold their owners accountable.
Welcome to the EXONET. The scope of IoT pervasiveness is bigger than the traditional Internet boundaries of internal and external; this greater exonet is a fundamental part of IoT, and IoT lives in it.
WHY IS THIS IMPORTANT? LET'S DO THE MATH
22,000,000,000  IoT devices in 2017 (Gartner)
× 50% (assumption)  = 11,000,000,000  enterprise IoT
× 10% (assumption)  = 1,100,000,000  handling sensitive data / mission critical
× 10% (assumption)  = 110,000,000  in the exonet
× 70% (HP: share of products with security flaws)  = 77,000,000  vulnerable IoT devices in the exonet
÷ 5,000,000 enterprise-size companies
TOTAL: 15.4 vulnerable IoT devices in the exonet PER ENTERPRISE
Other places in the enterprise: the remaining 990,000,000 sensitive devices × 70% ÷ 5,000,000 ≈ 138 vulnerable devices per enterprise
NOT NECESSARILY ALWAYS CONNECTED, YET CREATING MORE DATA, SOME OF WHICH WILL BE HIGHLY SENSITIVE
HOPELESSLY UNDERPOWERED
- Many IoT devices have low power, little memory and slow processors; existing security software is too heavy for them.
- IoT devices may exist in environments where security cannot impact existing infrastructure; existing security paradigms are incompatible.
- IoT devices may have intermittent connectivity; many existing security concepts require significant bandwidth and assume an always-on connection.
SECURITY IS AN AFTERTHOUGHT
A large percentage of the current IoT, even in the enterprise, is driven by consumer-market thinking.*
* If I am worried about selling you the next thing, why would I care about the existing thing?
According to Gartner, we'll have 20B additional IoT devices in the enterprise in the next three years [1]. According to HP, 70% of existing products have security flaws [2].
IN IoT, PERHAPS, OUR OLD PARADIGMS NEED RETHINKING
WHAT GUIDANCE DO WE HAVE?
From the NIST guide to ICS security (SP 800-82):
5.1 Network Segmentation and Segregation: "Network segmentation and segregation is one of the most effective architectural concepts that an organization can implement to protect its ICS... There are four common themes that implement the concept of defense-in-depth:
1. Technologies at more than just the network layer.
2. Least privilege and need-to-know.
3. Separate information and infrastructure.
4. Implement whitelisting."
5.3 Firewalls: "Firewalls can further restrict ICS inter-subnet communications between functional security subnets and devices. By employing firewalls to control connectivity to these areas, an organization can prevent unauthorized access to the respective systems and resources within the more sensitive areas."
Firewalls for intra-site communications: is this practical in an exonet world? Absolutely, in some cases. In many cases, probably not.
A STRATEGIC CHANGE IN IoT SECURITY THINKING
- DISTRIBUTED TRUST
- MUTABILITY
- AUTONOMY
- DISPOSABILITY
IoT NEEDS TO HAVE DISTRIBUTED TRUST
BUT FIRST, HOW DOES HIERARCHICAL TRUST WORK?
[Figure: chain of trust from root certificate authority, through intermediate and lower-level authorities, down to the web server]
- The root certificate authority's certificate is embedded in the browser.
- The root CA issues CA certificates to intermediate authorities; intermediates issue to lower-level (and even lower-level) authorities, and the lowest-level authority issues the certificate to the web server.
- The browser can then verify the whole chain and trust the connection to the server.
Any point of compromise in the trust chain compromises everything below it.
Now imagine this when you operate 10,000s of IoT devices.
IoT NEEDS TO HAVE DISTRIBUTED TRUST
DISTRIBUTED TRUST ALIGNS WITH DISTRIBUTED IoT
[Figure: three or more trust authorities, each providing one part of the certificate to the end point]
- Three or more trust authorities each generate part of the certificate and provide it to the end point.
- The end point receives all parts and assembles the certificate.
- A compromise of any one authority does not compromise the certificates, or any other authority.
- We already use variations of this commonly in places like P2P networks and things like the space shuttle and aircraft avionics.
- And we can have authorities anywhere.
IoT NEEDS TO HAVE DISTRIBUTED TRUST
With IoT, distributed trust lays the foundation for identity everywhere:
- The more sensitive the data of an IoT device, the more assurance we need that the data is valid and from the expected source (proof of identity).
- The deeper into the exonet we are, the greater the risk of communication disruption, and the harder reachability and verification become.
- And the more devices we have, the greater our need for devices to perform confident validation between themselves, at the edge and beyond.
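One concrete way to realize the "parts" of the previous slides, as an added example that is not from the deck: each trust authority holds a Shamir share of a device's provisioning secret over GF(p). Any k shares assemble the secret; fewer than k are consistent with every possible secret, so a single compromised authority learns nothing and the other authorities are untouched. The scheme itself, the prime, the 2-of-3 parameters and the sample values are assumptions; the deck does not say how its parts are generated or assembled, and a production design would share a signing key or use a threshold signature rather than hand the raw secret to the end point.

```python
"""Threshold (k-of-n) provisioning via Shamir secret sharing over GF(p).

Added example, not from the deck. Each "trust authority" holds one share of a
device's provisioning secret; the end point needs any k shares to assemble it,
and a single compromised authority (fewer than k shares) learns nothing.
The prime, the 2-of-3 parameters and the sample values are assumptions.
"""
import secrets
from functools import reduce

PRIME = 2**127 - 1  # Mersenne prime; all polynomial arithmetic is mod PRIME


def split(secret, k, n, rng=secrets.randbelow):
    """Return n shares (x, f(x)) of `secret`; any k of them reconstruct it.

    f is a random polynomial of degree k-1 with f(0) = secret. `rng(p)` must
    return an integer in [0, p); it is a parameter only so tests can be
    deterministic.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [rng(PRIME) for _ in range(k - 1)]

    def f(x):  # Horner evaluation, highest coefficient first
        return reduce(lambda acc, c: (acc * x + c) % PRIME, reversed(coeffs), 0)

    return [(x, f(x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange-interpolate f(0) from the given shares.

    The caller must supply at least k distinct shares; with fewer, the result
    is simply a wrong field element, not an error (the maths cannot tell).
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def single_share_is_consistent_with(share, candidate_secret):
    """For k = 2: is there a line through (0, candidate) and this share?

    Always true, which is the point: one authority's share is consistent with
    every possible secret, so compromising that authority reveals nothing.
    """
    x, y = share
    slope = (y - candidate_secret) * pow(x, PRIME - 2, PRIME) % PRIME
    return (candidate_secret + slope * x) % PRIME == y


if __name__ == "__main__":
    device_secret = secrets.randbelow(PRIME)          # constructed sample
    shares = split(device_secret, k=2, n=3)           # three authorities
    assert reconstruct(shares[:2]) == device_secret   # any two assemble it
    assert reconstruct(shares[1:]) == device_secret
    assert reconstruct(shares[:1]) != device_secret   # one share is useless
    print("2-of-3 assembly OK; one share reveals nothing")
```

The end point still has to authenticate each authority's share over the wire (the autonomy slides later in this deck are about exactly that kind of separate, authenticated channel); Shamir only guarantees that the share set, not any single share, is what carries the secret.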
MUTABILITY: CHANGE THE IoT GAME
Question to the audience: how many people here apply software patches to their phones and laptops the moment they become available? How about in our data centers? Cloud applications?
Simple answer: we don't; the risks are too great. Why is that?
MUTABILITY: CHANGE THE IoT GAME
We've been very good at building fragile applications. How many applications are running in the data center where restarting them takes a 100-step procedure? If we have data corruption and have to recover, well, that's just a disaster.
Can't we do something different in IoT while a great many of our devices are still simple?
MUTABILITY: CHANGE THE IoT GAME
One potential way to address this is to build in mutability from the beginning and operationalize it. Every so often (monthly? weekly? daily?) blow away the software and the firmware, and maybe even add or remove functions regularly, operationally.
As we go along and make IoT more complex, if we keep this up, we will have solved many security and operational risks before they arrive.
AUTONOMY: THINGS NEED THEIR OWN SPACES
[Figure: things communicating only with each other inside their own separate space]
Bad guys and malware need to reach your things to do most of their work. Being in a completely separate cryptographic communications space closes many holes.
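What a "separate cryptographic communications space" means at the message layer, as an added example that is not from the deck: every frame a thing accepts must carry a sender id it knows, a tag under the pairwise key it shares with that sender, and a counter newer than the last one seen. Everything else is dropped before the payload is parsed, so an attacker who can reach the wire but holds no peer key gets no attack surface. The frame layout, ids, keys and payloads below are constructed for the example; this shows authenticity and replay protection only, and a real deployment would also want an AEAD for confidentiality.

```python
"""A separate message space for things: peer-authenticated envelopes.

Added example, not from the deck. Every frame carries the sender id, a
monotonically increasing counter and an HMAC-SHA256 tag under a pairwise
pre-shared key. The receiver drops frames from unknown peers, with a bad
tag, or with a stale counter before it ever parses the payload, so anything
that can reach the network but holds no peer key has nothing to attack.
Ids, keys and payloads are constructed; confidentiality (an AEAD) is omitted.
"""
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 tag


class Thing:
    def __init__(self, my_id, peer_keys):
        self.my_id = my_id
        self.peer_keys = dict(peer_keys)            # peer id -> pairwise key
        self.send_counter = 0
        self.last_seen = {p: 0 for p in peer_keys}  # per-peer replay window

    def seal(self, to, payload):
        """Frame = len(sender) | sender | counter(8) | payload | tag(32)."""
        self.send_counter += 1
        sender = self.my_id.encode("ascii")
        body = (struct.pack(">B", len(sender)) + sender
                + struct.pack(">Q", self.send_counter) + payload)
        tag = hmac.new(self.peer_keys[to], body, hashlib.sha256).digest()
        return body + tag

    def open(self, frame):
        """Return (sender, payload); raise ValueError for anything else."""
        if len(frame) < 1 + 8 + TAG_LEN:
            raise ValueError("short frame")
        n = frame[0]
        if len(frame) < 1 + n + 8 + TAG_LEN:
            raise ValueError("short frame")
        sender = frame[1:1 + n].decode("ascii")   # UnicodeDecodeError is a ValueError
        key = self.peer_keys.get(sender)
        if key is None:                           # my own id is never a peer
            raise ValueError("unknown peer")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            raise ValueError("bad tag")
        counter = struct.unpack(">Q", frame[1 + n:1 + n + 8])[0]
        if counter <= self.last_seen[sender]:
            raise ValueError("replay")
        self.last_seen[sender] = counter
        return sender, frame[1 + n + 8:-TAG_LEN]


def verdict(thing, frame):
    """('ok', payload) or ('drop', reason); handy for tests and logging."""
    try:
        return "ok", thing.open(frame)[1]
    except ValueError as exc:
        return "drop", str(exc)


def scenario():
    """Constructed walk-through: one good frame, then four attacks on it."""
    k = hashlib.sha256(b"provisioned pairwise key (constructed)").digest()
    sensor = Thing("sensor-1", {"gateway": k})
    gateway = Thing("gateway", {"sensor-1": k})
    rogue = Thing("rogue", {"gateway": bytes(32)})     # reachable, no real key

    frame = sensor.seal("gateway", b'{"temp":21.5}')
    tampered = bytearray(frame)
    tampered[-TAG_LEN - 1] ^= 0x01                     # flip a payload bit
    return {
        "good": verdict(gateway, frame),
        "replay": verdict(gateway, frame),             # same frame again
        "tampered": verdict(gateway, bytes(tampered)),
        "rogue": verdict(gateway, rogue.seal("gateway", b"evil")),
        "reflected": verdict(sensor, frame),           # bounced back to sender
    }
```

The check order matters: the peer lookup and tag check come before the counter compare, so an unauthenticated sender cannot probe or advance the replay window, and because a thing's own id is never in its peer table, a frame reflected back to its sender is rejected as an unknown peer rather than accepted.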
DISPOSABILITY
In all of security, remediation is probably the hardest task. How do we get back to where we were? How do we fix our problems? How do we do that quickly?
Things are not desktops, or servers, or SaaS, or any of those traditional human-oriented systems. We need to build many of our things with the assumption that they are, indeed, disposable. When something happens, rip and replace. In fact, maybe we should even do this periodically as standard operating procedure.
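The mutability slides (blow the software away on a schedule) and the disposability slide (rip and replace at the first sign of trouble) are one control-loop, shown here as an added example that is not from the deck. A fleet controller holds a signed golden-image manifest and, for each device record, decides KEEP, REBUILD (healthy but due for its scheduled re-image, identity rotated) or REPLACE (running image no longer matches the golden hash: dispose, revoke its identity, provision a fresh one). The HMAC manifest signature, the weekly interval, the device records and the image hashes are all constructed assumptions; a real fleet would attest the running image with hardware-backed measurement rather than trust a self-reported hash.

```python
"""Mutability and disposability as a fleet policy.

Added example, not from the deck. A controller holds a signed golden-image
manifest and, for each device record, decides KEEP, REBUILD (scheduled
re-image, identity rotated) or REPLACE (running image drifted from the
golden hash: dispose, revoke the identity, provision a fresh one). The
manifest signature is HMAC-SHA256 under a controller key; the rebuild
interval and all device records are constructed assumptions.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace as dc_replace

CONTROLLER_KEY = hashlib.sha256(b"controller manifest key (constructed)").digest()
DAY = 24 * 3600
REBUILD_EVERY = 7 * DAY   # assumption: re-image weekly even when healthy


def _canon(manifest):
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest):
    return hmac.new(CONTROLLER_KEY, _canon(manifest), hashlib.sha256).hexdigest()


def manifest_ok(manifest, sig):
    return hmac.compare_digest(sign_manifest(manifest), sig)


@dataclass(frozen=True)
class Device:
    device_id: str
    running_sha256: str   # hash the device attests for its running image
    built_at: int         # epoch seconds of its last (re)build
    identity_serial: int  # serial of its current identity credential


def decide(device, manifest, sig, now):
    """Policy for one device. Refuses to act on an unauthenticated manifest."""
    if not manifest_ok(manifest, sig):
        raise ValueError("manifest signature invalid")
    if device.running_sha256 != manifest["image_sha256"]:
        return "REPLACE"   # integrity drift: rip and replace, don't repair
    if now - device.built_at >= REBUILD_EVERY:
        return "REBUILD"   # healthy but due: blow the software away anyway
    return "KEEP"


def apply(fleet, manifest, sig, now):
    """Return (decisions, new fleet, revoked identity serials)."""
    decisions, new_fleet, revoked = {}, [], []
    for d in fleet:
        action = decide(d, manifest, sig, now)
        decisions[d.device_id] = action
        if action == "KEEP":
            new_fleet.append(d)
            continue
        if action == "REPLACE":
            revoked.append(d.identity_serial)   # old identity must not live on
        new_fleet.append(dc_replace(d, running_sha256=manifest["image_sha256"],
                                    built_at=now,
                                    identity_serial=d.identity_serial + 1))
    return decisions, new_fleet, revoked


def sample_run():
    """Constructed three-device fleet exercising every branch of the policy."""
    golden = hashlib.sha256(b"golden-firmware-v1 (constructed)").hexdigest()
    drifted = hashlib.sha256(b"golden-firmware-v1 + implant (constructed)").hexdigest()
    manifest = {"image": "golden-firmware-v1", "image_sha256": golden}
    sig = sign_manifest(manifest)
    now = 30 * DAY
    fleet = [
        Device("cam-01", golden, now - 2 * DAY, 1),    # healthy, recent
        Device("cam-02", golden, now - 9 * DAY, 1),    # healthy, overdue
        Device("cam-03", drifted, now - 1 * DAY, 1),   # image no longer golden
    ]
    return apply(fleet, manifest, sig, now)
```

Two design points carry the deck's argument: the controller refuses to act on a manifest it cannot authenticate, because a rebuild loop that trusts an unsigned image is a fleet-wide supply-chain channel, and REPLACE revokes the old identity serial rather than reusing it, so a credential that lived on a drifted device cannot be presented again after the swap.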
BRING IT TOGETHER
- DISTRIBUTED TRUST: distribute trust so IoT devices can manage identity from anywhere.
- MUTABILITY: make IoT devices mutable so that we can update constantly.
- AUTONOMY: put IoT devices inside their own separate security networks, separated from their physical network presence, using existing low-cost protocols.
- DISPOSABILITY: dispose and replace at the first sign of an issue, as a standard practice.
BRING IT TOGETHER, SAID ANOTHER WAY
- KNOW IF IDENTITY CHANGES: make identity easy and everywhere; that way we know when compromise occurs.
- CONSTANTLY UPDATE TO LIMIT ATTACKS: by constantly updating and replacing, we limit the scope of (or stop) the attack.
- KEEP OUR THINGS SEPARATE: devices completely separated from the wild west of our internal and public networks limit or remove the ability to compromise them; what you cannot reach cannot be attacked.
- BUILD TO DISPOSE AND REPLACE: operationalizing a hack is expensive, but repeating that success is cheap. When we are able to dispose and replace cheaper than the bad guy can repeat, we tilt the costs back into our favor.
ACCELERATING THE TRANSFORMATION OF IDEAS FROM LAB TO MARKET
http://www.ntti3.com
https://twitter.com/ntti3
https://www.linkedin.com/company/nttinnovationinstitute
https://www.facebook.com/nttinnovation
https://www.youtube.com/user/ntti3channel